The past year ended with a bang for hackers, with a high-profile attack on Sony dominating news coverage in the final weeks of 2014. But what is ahead for 2015? Security experts agree that bad guys will continue to exploit more sophisticated techniques, which will require companies to adopt new approaches to defending themselves from attacks.
Here are some of the most interesting security predictions for 2015:
Security as a Differentiator
Google, WhatsApp, Yahoo and Facebook are all on record as supporters of encryption, while some companies have started to proactively notify customers about issues rather than waiting for breaches to happen, said Tsion Gonen, SafeNet’s chief strategy officer, mentioning Salesforce.com as a good example of this practice. In September, Salesforce proactively warned customers of a potential attack called Dyre that may have targeted Salesforce users.
"The company itself was not vulnerable, but it still recommended that IT departments use security best practices and require employees to log in via corporate VPNs and add two-factor authentication," Gonen said.
More Weaponized Malware
Many cyber attackers use malware as "reconnaissance" first, surveying IT environments and looking for vulnerabilities, said Julian Waits, president and CEO of ThreatTrack Security. As the bad guys learn more about an organization’s security process, they know how to attack. Because of this, malware is going to become more weaponized, he predicted, adding, "The only way to defend against this is for automated analytics tools to become smarter about identifying anomalous patterns."
Bigger, Badder DDoS Attacks
The size and sophistication of DDoS attacks are growing, as evidenced by a recent attack on Hong Kong websites that reached 500 Gbps. Dave Larson, chief technology officer at Corero Network Security, expects 2015 will see the advent of terabyte DDoS attacks and "that’s if they are not already happening," he said. Because technology is often lacking to effectively record attacks of this magnitude, organizations may not realize attacks of this size are already occurring, he warned.
"In order to stay on top of these attacks and be proactive with the ability to accurately monitor attacks on their networks and defeat them in real-time, organizations need to turn to in-line purposeful DDoS defense technologies," he said. "The adoption of in-line defense technology widens the lens when it comes to defense against the evolving threat landscape."
DDoS attacks also are being utilized for more nefarious purposes beyond the denial of service itself, Larson said, with cyber criminals using them as a masking agent or obfuscation technique for other exploits. Many organizations use simple packet sampling to detect DDoS attack activity, looking for "spikes" in network activity to identify the attack. Corero is seeing instances of partial pipe saturation, where the volume is low enough that sampling doesn’t detect the attack traffic and no service outage is reported but there is still enough DDoS activity occurring to fill up logging files, overwhelm firewall state tables and force IPS devices into layer 2 fall-back mode.
"While chaos ensues, exploits, malware, data leakage and other major security breaches are occurring in the network without notice," Larson said. "Organizations must keep up with the evolving threat landscape and quickly understand that DDoS is more than just the denial of service."
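The detection gap described above, as an added example that is not from the article or from Corero: a bandwidth-spike check of the kind used with packet sampling stays silent on constructed low-volume traffic, while an estimate of firewall state-table occupancy raises an alarm. The counters, table size, timeout and thresholds are all assumed values.

```python
from collections import deque

# Constructed per-second counters (not measured data): (bits_per_sec, new_flows_per_sec).
BASELINE = [(3.0e9, 5_000)] * 60
# Partial pipe saturation: ~0.2 Gbps of extra small packets, each opening a new flow.
ATTACK = [(3.2e9, 405_000)] * 60
TRAFFIC = BASELINE + ATTACK

STATE_TABLE_SIZE = 1_000_000  # assumed firewall state-table capacity (entries)
STATE_TIMEOUT_S = 30          # assumed lifetime of an unanswered flow entry
SPIKE_FACTOR = 2.0            # volumetric alarm: bandwidth above 2x learned baseline
STATE_ALARM = 0.8             # state alarm: table at least 80% full


def volumetric_alerts(traffic, warmup=60):
    """Spike detector: seconds whose bandwidth exceeds SPIKE_FACTOR x the warm-up mean."""
    baseline = sum(bps for bps, _ in traffic[:warmup]) / warmup
    return [t for t, (bps, _) in enumerate(traffic) if bps > SPIKE_FACTOR * baseline]


def state_table_alerts(traffic):
    """Estimate table occupancy from the new-flow rate, assuming (worst case)
    that every new entry lingers for the full timeout."""
    window = deque(maxlen=STATE_TIMEOUT_S)  # flows created within the timeout window
    alerts = []
    for t, (_, new_flows) in enumerate(traffic):
        window.append(new_flows)
        occupancy = min(sum(window), STATE_TABLE_SIZE) / STATE_TABLE_SIZE
        if occupancy >= STATE_ALARM:
            alerts.append(t)
    return alerts


if __name__ == "__main__":
    print("volumetric alerts:", volumetric_alerts(TRAFFIC))
    print("first state-table alert at second:", state_table_alerts(TRAFFIC)[0])
```

In practice the occupancy figure would come from the firewall's own counters rather than an estimate; the point is to alert on state and new-flow rate in addition to bandwidth.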
Rethinking Security Costs
Organizations think they spend a great deal of money on security already, but they probably ought to be spending more, said Ian Pratt, co-founder and EVP of products, Bromium, in an opinion echoed by other experts.
"Looking at where those costs go, a lot of money is spent on the security teams that they have, dealing with all the alerts that they’re getting. Very large numbers of false positives that these all produce need to be investigated, which requires a significant team to do or ignore at your peril," he said. "In 2015 we need to look at enterprises and at the effectiveness of their security spending, whether they need to shift things around to actually reduce some of the operational costs that they have and make things more effective."
Increasing Threat Intelligence
Ian Amit, Vice President, ZeroFOX, said he expects to see more threat intelligence activity in 2015, with threat intelligence becoming a key component of emerging security practices. "More focused threat intelligence providers, those who provide a custom feed based on the organization being protected, will become critical in tuning the defensive posture of organizations, allowing them to be more deliberate and effective in combating threats," he said.
As part of threat intelligence efforts, organizations will need to learn more about the motives of hackers, said Corey Nachreiner, WatchGuard’s director of security strategy and research. "Hackers have gone from mischievous kids exploring, to cyber activists pushing a message, to organized criminals stealing billions in digital assets, to nation states launching long-term espionage campaigns. Knowing the motives and tactics of various actors helps us understand which ones threaten our organization the most and how they prefer to attack."
Coalfire CEO Rick Dakin expects to see an increased use of crowdsourcing, machine intelligence and cognitive/advanced analytics to detect and help organizations stay ahead of threats. In addition, he said, "We will see the beginnings of a shift from cyber-defense to cyber-offense, from attempting to build impenetrable systems to building systems that make it possible to identify attackers and provide the means to prosecute, frustrate or delay them."
Monetizing Mobile Malware
While malware that jumps from traditional operating systems to mobile platforms, or vice versa, is a killer hacking combination, it has not been particularly damaging – but WatchGuard’s Nachreiner believes that will change in 2015. "Attackers will find new ways to monetize mobile infections. Expect mobile malware to have more teeth, for example, with customized ransomware designed to make your mobile unusable until you pay up," he said.
Mobile Attack Motivations
With the auto-login capability of mobile apps, mobile devices will increasingly be targeted for broader credential-stealing or authentication attacks to be used at a later date, said Carl Leonard, principal security analyst, Websense. "These attacks will use the phone as an access point to the increasing cloud-based enterprise applications and data resources that the devices can freely access."
Health Care in the Cross Hairs
Health care records hold a treasure trove of personally identifiable information that can be used in a multitude of attacks and various types of fraud, which makes them an attractive target for hackers, said Leonard. At the same time, health care spends less on security than other verticals. "In an environment still transitioning millions of patient records from paper to digital form, many organizations are playing catch-up when it comes to the security challenge of protecting personal data. As a result, cyber-attacks against this industry will increase," he said.
Ann All is the editor of Enterprise Apps Today and eSecurity Planet. She has covered business and technology for more than a decade, writing about everything from business intelligence to virtualization.